• Delivering a scalable appliance that is easy to deploy and use with the lowest total cost of ownership (TCO)

Cisco Security MARS transforms raw network and security data into intelligence that can be used to subvert valid security incidents and maintain compliance. Cisco Security MARS enables operators to centralize, detect, mitigate, and report on priority threats using the network and security devices already deployed in your infrastructure.

The Defense-in-Depth Dilemma

Information security practices have evolved from Internet perimeter protection to an in-depth defense model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. Layering is necessary because of increased attack frequency, diverse attack sophistication, and the rapid nature of attack velocity.

Network access points and systems are probed thousands of times each day in an attempt to exploit vulnerabilities. Modern blended/hybrid attacks use multiple and deceptive attack methodologies to gain unauthorized system access and control from outside and within organizations. The proliferation of worms, day-zero attacks, viruses, Trojan horses, spyware, and attack tools challenges even the most fortified infrastructures, resulting in shorter reaction time and costly remediation.

In addition to the number of servers and network devices, each security component offers isolated event log and alert features for anomaly detection, threat reaction, and forensics. Unfortunately, this isolation yields a tremendous amount of noise, alarms, log files, and false positives for operators to discern or effectively utilize. In addition, compliance legislature requires strict data privacy, improved operational security, and documented audit processes.

Advancing Security Information Management and Threat Mitigation

Security information and event management products logically seem to alleviate these problems-helping you measure threats so you can manage them. These products enable operators to centrally aggregate security events and logs, analyze this data through limited correlation and query techniques, and generate alarms and reports about isolated events.

As events and data are received, the information is normalized against the topology, discovered device configurations, and same source and destination applications across Network Address Translation (NAT) boundaries. Corresponding events are grouped into sessions in real time. System- and user-defined correlation rules are then applied to multiple sessions to identify incidents. Cisco Security MARS ships with a full complement of predefined rules, frequently updated by Cisco, which identify a majority of blended attack scenarios, day-zero attacks, and worms. A graphical rule definition framework simplifies the creation of user-defined custom rules for any application. ContextCorrelation significantly reduces raw event data, facilitates response prioritization, and maximizes results from deployed countermeasures.

High-Performance Aggregation and Consolidation

Cisco Security MARS captures millions of raw events, efficiently classifies incidents with superior data reduction, and compresses this information for archival. Managing this high volume of security events requires a secure and stable centralized logging platform. Cisco Security MARS appliances are security-hardened and optimized for receiving extremely high levels of event traffic: more than 15,000 events per second or more than 300,000 Cisco NetFlow events per second. This high-performance correlation is made possible through inline processing logic and the use of embedded high-performance database systems. All database functions and tuning are transparent to the user. Onboard storage and continual compression of historical data archives to network file system NFS, and Secure File Transfer Protocl (sFTP) secondary storage devices make Cisco Security MARS a reliable security log aggregation solution. MARS also supports data and configuration backup and recovery via NFS, and sFTP.

Cisco SureVector analysis processes similar event sessions to determine if threats are valid or have been countered by assessing the entire attack path, down to the endpoint MAC address. This automated process is accomplished by analyzing device logs such as firewalls and intrusion prevention applications, third-party vulnerability assessment data, and Cisco Security MARS endpoint scans to eliminate false positives. Users can quickly fine-tune the system to further reduce false positives.

The goal of any security program is to keep systems online and functioning properly-this is critical for preventing security exposures, containing incidents, and facilitating remediation. With Cisco Security MARS, operators have a rapid means to understand all of the components involved in an attack, down to the offending and compromised system MAC address. Cisco AutoMitigate capabilities identify available "chokepoint" devices along the attack path and automatically provide the appropriate device commands that the user can employ to mitigate the threat. The results can be used to quickly and accurately prevent or contain an attack.

Cisco Security MARS offers numerous predefined reports to satisfy operational requirements and assist in regulatory compliance efforts, including compliance with the Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley, Gramm-Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA) in the United States; the EU's Revised Basel Capital Framework (Basel II); and others. An intuitive report generator can modify the more than 100 standard reports or generate new reports for an unlimited means to build action and remediation plans, incident and network activity, security posture and audit, as well as departmental reports-in data, trend, and chart formats. The system also provides for batch and e-mail reporting.

Rapid Deployment and Scalable Management

Cisco Security MARS is placed on a network, where it can send and receive syslog messages and Simple Network Management Protocol (SNMP) traps and can establish secure sessions with deployed network and security devices through standard secure or vendor-specific protocols. No additional hardware, operating system patches, licensing, or lengthy professional service engagements are required to install and deploy Cisco Security MARS. Simply configure your log sources to point to Cisco Security MARS and define any network and source through the Web-based GUI. Cisco Security MARS can also forward syslogs to an external syslog server to integrate with existing network infrastructures.

Cisco Security MARS supports the optional Global Controller appliance which centralizes security Local Controller reporting to provide a single view report aggregation of the enterprise Local Controller environment.

Global Controller Capabilities include:

• Aggregation of reports across the Local Controller deployment

• Defining Rules, Reports and User accounts for Local Controllers (Note: Configuration of Local Controller is done "locally" on the individual LC appliance)

• Remote, distributed upgrade of the Local Controllers

Cisco Security MARS Technical Specifications

Release Information

Cisco Security MARS Release 6.0 is targeted for release August 2008 and will support both first-generation and second-generation hardware platforms at this time. The first-generation platform, which was supported under 4.x releases, will require reimaging to the Release 6.0 images. The second-generation platforms may move through a standard upgrade process to upgrade to this new release.

The Cisco Security MARS family offers different performance characteristics and prices to meet a variety of organizational needs and deployment scenarios (Table 1).

Cisco takes a lifecycle approach to services and, with its partners, provides a broad portfolio of security services so enterprises can design, implement, operate, and optimize network platforms that defend critical business processes against attack and disruption, protect privacy, and support policy and regulatory compliance controls.

Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. Cisco services include:

• The Cisco Security Intellishield Alert Manager Service provides a customizable, Web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.

• Cisco Security Optimization Service: Increasingly, the network infrastructure is the foundation of the agile and adaptive business. The Cisco Security Optimization Service supports the continuously evolving security system to meet ever-changing security threats through a combination of planning and assessments, design, performance tuning, and ongoing support for system changes. This service helps integrate security into the core network infrastructure.